JavaScript-Mastery-Pro · AradhyaX · Apr 18, 2026 · Apr 18, 2026 · Apr 18, 2026 · Apr 18, 2026
diff --git a/app/api/announcements/[id]/route.ts b/app/api/announcements/[id]/route.ts
@@ -1,10 +1,17 @@
 import { auth } from '@clerk/nextjs/server'
 import { NextRequest, NextResponse } from 'next/server'
 import mongoose from 'mongoose'
+import { z } from 'zod'
 import { connectDB } from '@/lib/mongodb'
 import { Announcement } from '@/models/Announcement'
 
-const ALLOWED_FIELDS = ['title', 'content', 'body', 'audience', 'category', 'pinned', 'expiresAt']
+const AnnouncementUpdateSchema = z.object({
+  title: z.string().min(1).optional(),
+  content: z.string().min(1).optional(),
+  audience: z.string().optional(),
+  category: z.enum(['academic', 'events', 'admin', 'general']).optional(),
+  pinned: z.boolean().optional(),
+})
 
 export async function PUT(req: NextRequest, ctx: { params: Promise<{ id: string }> }) {
   const { userId } = await auth()
@@ -27,17 +34,18 @@ export async function PUT(req: NextRequest, ctx: { params: Promise<{ id: string
       return NextResponse.json({ error: 'Invalid JSON request body' }, { status: 400 })
     }
 
-    // Sanitize: only allow whitelisted fields
-    const sanitizedBody: Record<string, unknown> = {}
-    for (const key of ALLOWED_FIELDS) {
-      if (key in body) {
-        sanitizedBody[key] = body[key]
-      }
+    const parsed = AnnouncementUpdateSchema.safeParse(body)
+    if (!parsed.success) {
+      return NextResponse.json({ error: parsed.error.flatten() }, { status: 400 })
+    }
+
+    if (Object.keys(parsed.data).length === 0) {
+      return NextResponse.json({ error: 'No valid fields to update' }, { status: 400 })
     }
 
     const announcement = await Announcement.findOneAndUpdate(
-      { _id: id },
-      { $set: sanitizedBody },
+      { _id: id, teacherId: userId },
+      { $set: parsed.data },
       { new: true, runValidators: true, context: 'query' }
     )
     if (!announcement) return NextResponse.json({ error: 'Not found' }, { status: 404 })
@@ -63,7 +71,7 @@ export async function DELETE(_req: NextRequest, ctx: { params: Promise<{ id: str
     }
 
     await connectDB()
-    const deleted = await Announcement.findOneAndDelete({ _id: id })
+    const deleted = await Announcement.findOneAndDelete({ _id: id, teacherId: userId })
 
     if (!deleted) {
       return NextResponse.json({ error: 'Not found' }, { status: 404 })

diff --git a/app/api/assignments/[id]/route.ts b/app/api/assignments/[id]/route.ts
@@ -1,10 +1,22 @@
 import { auth } from '@clerk/nextjs/server'
 import { NextRequest, NextResponse } from 'next/server'
 import mongoose from 'mongoose'
+import { z } from 'zod'
 import { connectDB } from '@/lib/mongodb'
 import { Assignment } from '@/models/Assignment'
 
-const ALLOWED_UPDATE_FIELDS = ['title', 'description', 'dueDate', 'deadline', 'subject', 'class', 'status', 'kanbanStatus', 'maxMarks']
+const AssignmentUpdateSchema = z.object({
+  title: z.string().min(1).optional(),
+  description: z.string().optional(),
+  subject: z.string().min(1).optional(),
+  class: z.string().min(1).optional(),
+  deadline: z.string().min(1).refine((value) => !Number.isNaN(Date.parse(value)), {
+    message: 'Invalid deadline',
+  }).optional(),
-  deadline: z.string().min(1).refine((value) => !Number.isNaN(Date.parse(value)), {
-    message: 'Invalid deadline',
-  }).optional(),
+  deadline: z.string().datetime().optional(),
-  deadline: z.string().min(1).refine((value) => !Number.isNaN(Date.parse(value)), {
-    message: 'Invalid deadline',
-  }).optional(),
+  deadline: z.union([
+    z.string().date(),
+    z.string().datetime(),
+  ]).optional(),
-  deadline: z.string().min(1).refine((value) => !Number.isNaN(Date.parse(value)), {
-    message: 'Invalid deadline',
-  }).optional(),
+  deadline: z.string().datetime().optional(),
-  deadline: z.string().min(1).refine((value) => !Number.isNaN(Date.parse(value)), {
-    message: 'Invalid deadline',
-  }).optional(),
+  deadline: z.union([
+    z.string().date(),
+    z.string().datetime(),
+  ]).optional(),
+  maxMarks: z.number().min(1).optional(),
+  status: z.enum(['active', 'closed']).optional(),
+  kanbanStatus: z.enum(['todo', 'in_progress', 'submitted']).optional(),
+})
 
 export async function PUT(req: NextRequest, ctx: { params: Promise<{ id: string }> }) {
   const { userId } = await auth()
@@ -27,18 +39,19 @@ export async function PUT(req: NextRequest, ctx: { params: Promise<{ id: string
       return NextResponse.json({ error: 'Invalid JSON in request body' }, { status: 400 })
     }
 
-    // Sanitize: only allow whitelisted fields
-    const sanitizedBody: Record<string, unknown> = {}
-    for (const key of ALLOWED_UPDATE_FIELDS) {
-      if (key in body) {
-        sanitizedBody[key] = body[key]
-      }
+    const parsed = AssignmentUpdateSchema.safeParse(body)
+    if (!parsed.success) {
+      return NextResponse.json({ error: parsed.error.flatten() }, { status: 400 })
+    }
+
+    if (Object.keys(parsed.data).length === 0) {
+      return NextResponse.json({ error: 'No valid fields to update' }, { status: 400 })
     }
 
     const assignment = await Assignment.findOneAndUpdate(
-      { _id: id },
-      sanitizedBody,
-      { new: true }
+      { _id: id, teacherId: userId },
+      { $set: parsed.data },
+      { new: true, runValidators: true, context: 'query' }
     )
     if (!assignment) return NextResponse.json({ error: 'Not found' }, { status: 404 })
     return NextResponse.json(assignment)
@@ -63,7 +76,7 @@ export async function DELETE(_req: NextRequest, ctx: { params: Promise<{ id: str
     }
 
     await connectDB()
-    const deleted = await Assignment.findOneAndDelete({ _id: id })
+    const deleted = await Assignment.findOneAndDelete({ _id: id, teacherId: userId })
 
     if (!deleted) {
       return NextResponse.json({ error: 'Not found' }, { status: 404 })

diff --git a/app/api/assignments/route.ts b/app/api/assignments/route.ts
@@ -9,7 +9,9 @@ const AssignmentSchema = z.object({
   description: z.string().optional(),
   subject: z.string().min(1),
   class: z.string().min(1),
-  deadline: z.string().min(1),
+  deadline: z.string().min(1).refine((value) => !Number.isNaN(Date.parse(value)), {
+    message: 'Invalid deadline',
+  }),
-  deadline: z.string().min(1).refine((value) => !Number.isNaN(Date.parse(value)), {
-    message: 'Invalid deadline',
-  }),
+  deadline: z.string().datetime(),
-  deadline: z.string().min(1).refine((value) => !Number.isNaN(Date.parse(value)), {
-    message: 'Invalid deadline',
-  }),
+  deadline: z.union([z.string().date(), z.string().datetime()]),
-  deadline: z.string().min(1).refine((value) => !Number.isNaN(Date.parse(value)), {
-    message: 'Invalid deadline',
-  }),
+  deadline: z.string().datetime(),
-  deadline: z.string().min(1).refine((value) => !Number.isNaN(Date.parse(value)), {
-    message: 'Invalid deadline',
-  }),
+  deadline: z.union([z.string().date(), z.string().datetime()]),
   maxMarks: z.number().min(1).optional(),
   status: z.enum(['active', 'closed']).optional(),
   kanbanStatus: z.enum(['todo', 'in_progress', 'submitted']).optional(),
@@ -52,7 +54,7 @@ export async function GET(req: NextRequest) {
     if (error instanceof Error) {
       console.error('GET /api/assignments error:', error.message)
     }
-    return NextResponse.json({ error: error instanceof Error ? error.stack : 'Internal server error' }, { status: 500 })
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
   }
 }
 

diff --git a/app/api/attendance/route.ts b/app/api/attendance/route.ts
@@ -1,11 +1,16 @@
 import { auth } from '@clerk/nextjs/server'
 import { NextRequest, NextResponse } from 'next/server'
+import mongoose from 'mongoose'
 import { connectDB } from '@/lib/mongodb'
 import { Attendance } from '@/models/Attendance'
 import { z } from 'zod'
 
+const StudentIdSchema = z.string().refine((value) => mongoose.Types.ObjectId.isValid(value), {
+  message: 'Invalid studentId',
+})
+
 const AttendanceSchema = z.object({
-  studentId: z.string().min(1),
+  studentId: StudentIdSchema,
-import mongoose from 'mongoose'
-import { connectDB } from '@/lib/mongodb'
-import { Attendance } from '@/models/Attendance'
-import { z } from 'zod'
-
-const StudentIdSchema = z.string().refine((value) => mongoose.Types.ObjectId.isValid(value), {
-  message: 'Invalid studentId',
-})
-
-const AttendanceSchema = z.object({
-  studentId: z.string().min(1),
-  studentId: StudentIdSchema,
+import { connectDB } from '@/lib/mongodb'
+import { Attendance } from '@/models/Attendance'
+import { z } from 'zod'
+
+const StudentIdSchema = z.string().regex(/^[0-9a-fA-F]{24}$/, {
+  message: 'Invalid studentId',
+})
+
+const AttendanceSchema = z.object({
+  studentId: StudentIdSchema,
-import mongoose from 'mongoose'
-import { connectDB } from '@/lib/mongodb'
-import { Attendance } from '@/models/Attendance'
-import { z } from 'zod'
-
-const StudentIdSchema = z.string().refine((value) => mongoose.Types.ObjectId.isValid(value), {
-  message: 'Invalid studentId',
-})
-
-const AttendanceSchema = z.object({
-  studentId: z.string().min(1),
-  studentId: StudentIdSchema,
+import { connectDB } from '@/lib/mongodb'
+import { Attendance } from '@/models/Attendance'
+import { z } from 'zod'
+
+const StudentIdSchema = z.string().regex(/^[0-9a-fA-F]{24}$/, {
+  message: 'Invalid studentId',
+})
+
+const AttendanceSchema = z.object({
+  studentId: StudentIdSchema,
   studentName: z.string().min(1),
   class: z.string().min(1),
   date: z.string().min(1),
@@ -30,6 +35,13 @@ export async function GET(req: NextRequest) {
 
     const query: Record<string, unknown> = { teacherId: userId };
 
+    if (studentId && !mongoose.Types.ObjectId.isValid(studentId)) {
+      return NextResponse.json(
+        { error: "Invalid studentId" },
+        { status: 400 },
+      );
+    }
+
     // Helper to validate and normalize date strings to YYYY-MM-DD format
     const normalizeDate = (dateStr: string): string | null => {
       try {

diff --git a/app/api/grades/[id]/route.ts b/app/api/grades/[id]/route.ts
@@ -3,8 +3,31 @@ import { NextRequest, NextResponse } from 'next/server'
 import mongoose from 'mongoose'
 import { connectDB } from '@/lib/mongodb'
 import { Grade } from '@/models/Grade'
+import { z } from 'zod'
 
-const ALLOWED_UPDATE_FIELDS = ['marks', 'maxMarks', 'grade']
+const StudentIdSchema = z.string().refine((value) => mongoose.Types.ObjectId.isValid(value), {
+  message: 'Invalid studentId',
+})
+
+const GradeUpdateSchema = z.object({
+  studentId: StudentIdSchema.optional(),
+  studentName: z.string().min(1).optional(),
+  subject: z.string().min(1).optional(),
+  marks: z.number().min(0).optional(),
+  maxMarks: z.number().min(1).optional(),
+  term: z.string().min(1).optional(),
+})
+
+function calcGrade(marks: number, max: number): string {
+  const pct = (marks / max) * 100
+  if (pct > 90) return 'A+'
+  if (pct >= 80) return 'A'
+  if (pct >= 70) return 'B+'
+  if (pct >= 60) return 'B'
+  if (pct >= 50) return 'C'
+  if (pct >= 40) return 'D'
+  return 'F'
+}
 
 export async function PUT(req: NextRequest, ctx: { params: Promise<{ id: string }> }) {
   const { userId } = await auth()
@@ -15,7 +38,7 @@ export async function PUT(req: NextRequest, ctx: { params: Promise<{ id: string
 
     // Validate ObjectId
     if (!mongoose.Types.ObjectId.isValid(id)) {
-      return NextResponse.json({ error: 'Not found' }, { status: 404 })
+      return NextResponse.json({ error: 'Invalid id' }, { status: 400 })
     }
 
     let body
@@ -25,26 +48,47 @@ export async function PUT(req: NextRequest, ctx: { params: Promise<{ id: string
       return NextResponse.json({ error: 'Invalid JSON in request body' }, { status: 400 })
     }
 
-    // Sanitize: only allow whitelisted fields
-    const sanitizedBody: Record<string, unknown> = {}
-    for (const key of ALLOWED_UPDATE_FIELDS) {
-      if (key in body) {
-        sanitizedBody[key] = body[key]
-      }
+    const parsed = GradeUpdateSchema.safeParse(body)
+    if (!parsed.success) {
+      return NextResponse.json({ error: parsed.error.flatten() }, { status: 400 })
+    }
+
+    if (Object.keys(parsed.data).length === 0) {
+      return NextResponse.json({ error: 'No valid fields to update' }, { status: 400 })
     }
 
     await connectDB()
+    const existing = await Grade.findOne({ _id: id, teacherId: userId })
+    if (!existing) return NextResponse.json({ error: 'Not found' }, { status: 404 })
+
+    const marks = parsed.data.marks ?? existing.marks
+    const maxMarks = parsed.data.maxMarks ?? existing.maxMarks
+    if (marks > maxMarks) {
+      return NextResponse.json(
+        { error: { fieldErrors: { marks: ['marks must be less than or equal to maxMarks'] } } },
+        { status: 400 },
+      )
+    }
+
     const grade = await Grade.findOneAndUpdate(
-      { _id: id },
-      sanitizedBody,
-      { new: true }
+      { _id: id, teacherId: userId },
+      {
+        $set: {
+          ...parsed.data,
+          grade: calcGrade(marks, maxMarks),
+        },
+      },
+      { new: true, runValidators: true, context: 'query' }
     )
     if (!grade) return NextResponse.json({ error: 'Not found' }, { status: 404 })
     return NextResponse.json(grade)
   } catch (error) {
     if (error instanceof Error) {
       console.error('PUT /api/grades/[id] error:', error.message)
     }
+    if ((error as { code?: number }).code === 11000) {
+      return NextResponse.json({ error: 'A grade for this student, subject, and term already exists' }, { status: 409 })
+    }
     return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
   }
 }
@@ -55,8 +99,13 @@ export async function DELETE(_req: NextRequest, ctx: { params: Promise<{ id: str
 
   try {
     const { id } = await ctx.params
+
+    if (!mongoose.Types.ObjectId.isValid(id)) {
+      return NextResponse.json({ error: 'Invalid id' }, { status: 400 })
+    }
+
     await connectDB()
-    const deleted = await Grade.findOneAndDelete({ _id: id })
+    const deleted = await Grade.findOneAndDelete({ _id: id, teacherId: userId })
 
     if (!deleted) {
       return NextResponse.json({ error: 'Grade not found' }, { status: 404 })

diff --git a/app/api/grades/route.ts b/app/api/grades/route.ts
@@ -1,18 +1,23 @@
 import { auth } from '@clerk/nextjs/server'
 import { NextRequest, NextResponse } from 'next/server'
+import mongoose from 'mongoose'
 import { connectDB } from '@/lib/mongodb'
 import { Grade } from '@/models/Grade'
 import { z } from 'zod'
 
+const StudentIdSchema = z.string().refine((value) => mongoose.Types.ObjectId.isValid(value), {
+  message: 'Invalid studentId',
+})
+
 const GradeSchema = z.object({
-  studentId: z.string().min(1),
+  studentId: StudentIdSchema,
   studentName: z.string().min(1),
   subject: z.string().min(1),
   marks: z.number().min(0),
   maxMarks: z.number().min(1).optional(),
   term: z.string().optional(),
 }).refine(
-  (data) => !data.maxMarks || data.marks <= data.maxMarks,
+  (data) => data.marks <= (data.maxMarks ?? 100),
   {
     message: 'marks must be less than or equal to maxMarks',
     path: ['marks'],
@@ -40,6 +45,10 @@ export async function GET(req: NextRequest) {
     const studentId = searchParams.get('studentId')
     const subject = searchParams.get('subject')
 
+    if (studentId && !mongoose.Types.ObjectId.isValid(studentId)) {
+      return NextResponse.json({ error: 'Invalid studentId' }, { status: 400 })
+    }
+
     const query: Record<string, unknown> = { teacherId: userId }
     if (studentId) query.studentId = studentId
     if (subject) query.subject = subject
@@ -48,7 +57,7 @@ export async function GET(req: NextRequest) {
     return NextResponse.json(grades)
   } catch (error) {
     console.error('GET /api/grades error:', error instanceof Error ? error.message : error)
-    return NextResponse.json({ error: error instanceof Error ? error.stack : 'Internal server error' }, { status: 500 })
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
   }
 }
 
@@ -70,19 +79,19 @@ export async function POST(req: NextRequest) {
     if (!parsed.success) return NextResponse.json({ error: parsed.error.flatten() }, { status: 400 })
 
     const data = parsed.data
-    const max = data.maxMarks!
+    const max = data.maxMarks ?? 100
     const term = data.term ?? 'Term 1'
 
-    const grade = Grade.findOneAndUpdate(
+    const grade = await Grade.findOneAndUpdate(
       { teacherId: userId, studentId: data.studentId, subject: data.subject, term },
-      { $set: { ...data, term, teacherId: userId, grade: calcGrade(data.marks, max) } },
-      { upsert: true, new: true }
+      { $set: { ...data, maxMarks: max, term, teacherId: userId, grade: calcGrade(data.marks, max) } },
+      { upsert: true, new: true, runValidators: true, context: 'query', setDefaultsOnInsert: true }
     )
     return NextResponse.json(grade, { status: 201 })
   } catch (error) {
     if (error instanceof Error) {
       console.error('POST /api/grades error:', error.message)
     }
-    return NextResponse.json({ error: error instanceof Error ? error.stack : 'Internal server error' }, { status: 500 })
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
   }
 }
diff --git a/app/api/profile/route.ts b/app/api/profile/route.ts
@@ -3,15 +3,8 @@ import { NextRequest, NextResponse } from 'next/server'
 import { connectDB } from '@/lib/mongodb'
 import { Teacher } from '@/models/Teacher'
 
-export async function GET(req: NextRequest) {
-  const { searchParams } = new URL(req.url)
-  const queryUserId = searchParams.get('userId')
-
-  let userId: string | null = queryUserId
-  if (!userId) {
-    const session = await auth()
-    userId = session.userId
-  }
+export async function GET(_req: NextRequest) {
+  const { userId } = await auth()
   if (!userId) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
 
   try {
@@ -20,6 +13,9 @@ export async function GET(req: NextRequest) {
 
     if (!teacher) {
       const clerkUser = await currentUser()
+      if (!clerkUser) {
+        return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+      }
       const created = await Teacher.create({
         clerkId: userId,
         name: clerkUser?.fullName ?? '',